
πŸ“ Azure Virtual Machine is not utilizing Managed Disks 🟒

  • Contextual name: 📁 Virtual Machine is not utilizing Managed Disks 🟢
  • ID: /ce/ca/azure/virtual-machine/virtual-machine-managed-disks
  • Located in: 📁 Azure Virtual Machines

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY
    • PERFORMANCE
    • COST

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-588af79c1

Logic

Description

Migrate blob-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include:

  1. Default disk encryption.
  2. Resilience: Microsoft manages the disk storage and relocates it if the underlying hardware fails.
  3. Reduced cost compared with storage accounts.

Rationale

Managed disks are encrypted by default on the underlying hardware, so no additional encryption is required for basic protection; additional encryption is available if it is required. Managed disks are by design more resilient than storage accounts.

For ARM-deployed Virtual Machines, Azure Advisor will at some point recommend moving VHDs to managed disks from both a security and a cost management perspective.

Impact

There are additional costs for managed disks based on the disk space allocated. When converting to managed disks, VMs will be powered off and back on.

Audit

From Azure Portal

  1. Using the search feature, go to Virtual Machines.
  2. Click the Manage view dropdown, then select Edit columns.


Remediation

From Azure Portal

  1. Using the search feature, go to Virtual Machines.
  2. Select the virtual machine you would like to convert.
  3. Select Disks in the menu for the VM.
  4. At the top select Migrate to managed disks.
  5. You may follow the prompts to convert the disk and finish by selecting Migrate to start the process.

NOTE: VMs will be stopped and restarted after migration is complete.

From PowerShell

# $rgName and $vmName hold the resource group and name of the VM to convert.
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force
# ConvertTo-AzVMManagedDisk requires a deallocated VM; Stop-AzVM -Force deallocates it.
ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName
Start-AzVM -ResourceGroupName $rgName -Name $vmName
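The portal audit steps above check one VM at a time, and the PowerShell remediation assumes you already know which VM to convert. The following script is an added example, not code from the Cloudaware policy page or the CIS benchmark: it enumerates every VM in the current subscription, reports those whose OS or data disks are still blob-based VHDs (the `ManagedDisk` reference is empty and a `Vhd` URI is present), and, when the assumed `$Migrate` variable is set, applies the page's three-cmdlet migration to each finding. It assumes the Az PowerShell module is installed and `Connect-AzAccount` / `Set-AzContext` have selected the subscription to audit.

```powershell
# Added example (not part of the Cloudaware policy page): audit a subscription for
# VMs whose OS or data disks are blob-based VHDs instead of Managed Disks, then
# optionally migrate them with the same cmdlets the remediation section uses.
# Assumes the Az module is installed and Connect-AzAccount / Set-AzContext has
# selected the subscription to check. $Migrate is an assumed control variable.

$Migrate = $false   # set to $true to convert the VMs found, not just report them

function Get-UnmanagedDiskVm {
    # A disk is unmanaged when the ManagedDisk reference is empty and a VHD
    # blob URI is present on the disk object returned by Get-AzVM.
    foreach ($vm in Get-AzVM) {
        $findings = @()
        $os = $vm.StorageProfile.OsDisk
        if (-not $os.ManagedDisk -and $os.Vhd) {
            $findings += "OS disk -> $($os.Vhd.Uri)"
        }
        foreach ($dd in $vm.StorageProfile.DataDisks) {
            if (-not $dd.ManagedDisk -and $dd.Vhd) {
                $findings += "Data disk LUN $($dd.Lun) -> $($dd.Vhd.Uri)"
            }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                ResourceGroup  = $vm.ResourceGroupName
                Name           = $vm.Name
                UnmanagedDisks = $findings -join '; '
            }
        }
    }
}

$noncompliant = @(Get-UnmanagedDiskVm)
if ($noncompliant.Count -eq 0) {
    Write-Output 'All VMs in the current subscription use Managed Disks.'
}
else {
    $noncompliant | Format-Table -AutoSize -Wrap

    if ($Migrate) {
        foreach ($target in $noncompliant) {
            # ConvertTo-AzVMManagedDisk needs a deallocated VM; Stop-AzVM -Force deallocates.
            # VMs in an availability set need the set converted to the Aligned SKU first
            # (Update-AzAvailabilitySet -Sku Aligned), otherwise the conversion is rejected.
            Stop-AzVM -ResourceGroupName $target.ResourceGroup -Name $target.Name -Force
            ConvertTo-AzVMManagedDisk -ResourceGroupName $target.ResourceGroup -VMName $target.Name
            Start-AzVM -ResourceGroupName $target.ResourceGroup -Name $target.Name
        }
    }
}
```

Run it with `$Migrate` left at `$false` first and review the report, since each conversion stops and restarts the VM as the Impact section notes; the report alone is enough to evidence the CIS 7.1/7.2/8.2 check across a whole subscription rather than one VM at a time.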

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags (counts as extracted; the column values ran together)
💼 CIS Azure v1.3.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual) | 11
💼 CIS Azure v1.4.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual) | 11
💼 CIS Azure v1.5.0 → 💼 7.1 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Manual) | 11
💼 CIS Azure v2.0.0 → 💼 7.2 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Automated) | 11
💼 CIS Azure v2.1.0 → 💼 7.2 Ensure Virtual Machines are utilizing Managed Disks - Level 1 (Automated) | 11
💼 CIS Azure v3.0.0 → 💼 8.2 Ensure Virtual Machines are utilizing Managed Disks (Automated) | 1
💼 Cloudaware Framework → 💼 Performance Tuning | 3
💼 Cloudaware Framework → 💼 Resource Optimization | 3
💼 Cloudaware Framework → 💼 System Configuration | 24
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) | 2021
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 512
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 12
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 12
💼 ISO/IEC 27001:2013 → 💼 A.14.1.1 Information security requirements analysis and specification | 66
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records | 1010
💼 NIST CSF v1.1 → 💼 PR.IP-2: A System Development Life Cycle to manage systems is implemented | 66
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 2527
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1012